Protect Your Windows Network

Jesper M. Johansson, Microsoft's Senior Program Manager for Security Policy, is responsible for the tools Microsoft customers use to implement security policies, including the Security Configuration Wizard and Editor. A frequent speaker at leading security events, he holds a Ph.D. in MIS, as well as CISSP and ISSAP certification. Steve Riley, Senior Program Manager in Microsoft's Security Business and Technology unit, specializes in network/host security, protocols, network design, and security policies and processes. He has conducted security assessments and risk analyses, deployed security technologies, and designed highly available network architectures for ISPs, ASPs, and major enterprises. © Copyright Pearson Education. All rights reserved.

Acknowledgments.

About the Authors.

Preface.

I. INTRODUCTION AND FUNDAMENTALS.

1. Introduction to Network Protection.

    Why Would Someone Attack Me?

    Nobody Will Ever Call You to Tell You How Well the Network Is Working

    Introduction to the Defense-in-Depth Model

    The Defender's Dilemma

    Summary

    What You Should Do Today

2. Anatomy of a Hack-The Rise and Fall of Your Network.

    What a Penetration Test Will Not Tell You

    Why You Need To Understand Hacking

    Target Network

    Network Footprinting

    Initial Compromise

    Elevating Privileges

    Hacking Other Machines

    Taking Over the Domain

    Post-mortem

    How to Get an Attacker Out of Your Network

    Summary

    What You Should Do Today

3. Rule Number 1: Patch Your Systems.

    Patches Are a Fact of Life

    Exercise Good Judgment

    What Is a Patch?

    Patch Management Is Risk Management

    Tools to Manage Security Updates

    Advanced Tips and Tricks

    Slipstreaming

    Summary

    What You Should Do Today

II. POLICIES, PROCEDURES, AND USER AWARENESS.

4. Developing Security Policies.

    Who Owns Developing Security Policy

    What a Security Policy Looks Like

    Why a Security Policy Is Necessary

    Why So Many Security Policies Fail

    Analyzing Your Security Needs to Develop _Appropriate Policies

    How to Make Users Aware of Security Policies

    Procedures to Enforce Policies

    Dealing with Breaches of Policy

    More Information

    Summary

    What You Should Do Today

5. Educating Those Pesky Users.

    System Administration ? Security Administration

    Securing People

    The Problem

    Protecting People

    Plausibility + Dread + Novelty = Compromise

    Things You Should Do Today

III. PHYSICAL AND PERIMETER SECURITY: THE FIRST LINE OF DEFENSE.

6. If You Do Not Have Physical Security, You Do Not Have Security.

    But First, a Story

    It's a Fundamental Law of Computer Security

    The Importance of Physical Access Controls

    Protecting Client PCs

    The Case of the Stolen Laptop

    The Family PC

    No Security, Physical or Otherwise, Is Completely Foolproof

    Things You Should Do Today

7. Protecting Your Perimeter.

    The Objectives of Information Security

    The Role of the Network

    Start with (What's Left of) Your Border

    Next, Use the Right Firewall

    Then, Consider Your Remote Access Needs

    Finally, Start Thinking About "Deperimeterization"

    Things You Should Do Today

IV. PROTECTING YOUR NETWORK INSIDE THE PERIMETER.

8. Security Dependencies.

    Introduction to Security Dependencies

    Administrative Security Dependencies

    Service Account Dependencies

    Mitigating Service and Administrative Dependencies

    Other Security Dependencies

    Summary

    What You Should Do Today

9. Network Threat Modeling.

    Network Threat Modeling Process

    Document Your Network

    Segment Your Network

    Restrict Access to Your Network

    Summary

    What You Should Do Today

10. Preventing Rogue Access Inside the Network.

    The Myth of Network Sniffing

    Network Protection at Layers 2 and 3

    Using 802.1X for Network Protection

    Using IPsec for Network Protection

    Network Quarantine Systems

    Summary

    What You Should Do Today

11. Passwords and Other Authentication Mechanisms-The Last Line of Defense.

    Introduction

    Password Basics

    Password History

    What Administrators Need to Know About Passwords

    Password Best Practices

    Recommended Password Policy

    Better Than Best Practices-Multifactor Authentication

    Summary

    What You Should Do Today

V. PROTECTING HOSTS.

12. Server and Client Hardening.

    Security Configuration Myths

    On to the Tweaks

    Top 10 (or so) Server Security Tweaks

    Top 10 (or so) Client Security Tweaks

    The Caution List-Changes You Should Not Make

    Security Configuration Tools

    Summary

    What You Should Do Today

VI. PROTECTING APPLICATIONS.

13. Protecting User Applications.

    Patch Them!

    Make Them Run As a Nonadmin

    Turn Off Functionality

    Restrict Browser Functionality

    Attachment Manager

    Spyware

    Security Between Chair and Keyboard (SeBCAK)

    Summary

    What You Should Do Today

14. Protecting Services and Server Applications.

    You Need a Healthy Disrespect for Your Computer

    Rule 1: All Samples Are Evil

    Three Steps to Lowering the Attack Surface

    What About Service Accounts?

    Privileges Your Services Do Not Need

    Hardening SQL Server 2000

    Hardening IIS 5.0 and 6.0

    Summary

    What You Should Do Today

15. Security for Small Businesses.

    Protect Your Desktops and Laptops

    Protect Your Servers

    Protect Your Network

    Keep Your Data Safe

    Use the Internet Safely

    Small Business Security Is No Different, Really

    What You Should Do Today

16. Evaluating Application Security.

    Caution: More Software May Be Hazardous to Your Network Health

    Baseline the System

    Things to Watch Out For

    Summary

    What You Should Do Today

VII. PROTECTING DATA.

17. Data-Protection Mechanisms.

    Security Group Review

    Access Control Lists

    Layers of Access Control

    Access Control Best Practices

    Rights Management Systems

    Incorporating Data Protection into Your Applications

    Protected Data: Our Real Goal

    What You Should Do Today

Appendix A: How to Get Your Network Hacked in 10 Easy Steps.

Appendix B: Script To Revoke SQL Server PUBLIC Permissions.

Appendix C. HOSTS file to Block Spyware.

Appendix D. Password Generator Tool.

    -g (Generate Password Based on Known Input)

    -r (Generate Random Password)

    -s (Set a Password on an Account and/or Service)

    Security Information

    Usage Scenarios

Appendix E: 10 Immutable Laws of Security.

    Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

    Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.

    Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

    Law #4: -If you allow a bad guy to upload programs to your Web site, it's not your Web site any more.

    Law #5: Weak passwords trump strong security.

    Law #6: A computer is only as secure as the administrator is trustworthy.     Law #7: Encrypted data is only as secure as the decryption key.

    Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all.

    Law #9: Absolute anonymity isn't practical, in real life or on the Web.     Law #10: Technology is not a panacea.

Index.